Winlogon.exe ??

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by JhonnyB, Feb 22, 2008.

  1. JhonnyB

    JhonnyB Private E-2

    So, I recently updated my COMODO firewall and it made a malware scan and found a Trojan in C:/Windows/system32/winlogon.exe.
    It couldn't remove it so it quarantined it, and after that I couldn't reboot into Windows, I would get a blue screen stop error.
    So I uninstalled Comodo through safe mode and now it booted just fine. No other scan recognizes this file as a trojan, so I don't really know what I can do.
    Any thoughts?
     
  2. JhonnyB

    JhonnyB Private E-2

    Bump, Plx
     
  3. abri

    abri MajorGeek

    Hi JhonnyB,
    Welcome to the Malware Forum!

    I advise you not to bump as it leads to scoldings. What trojan did it find? It may have been a false positive. If you're having malware symptoms go through the READ & RUN ME FIRST and attach the requested scans. Alternatively, you could go to the Alternate Scans and run BitDefender and Panda and see if they come up with anything. These can only be run with Internet Explorer. They're both good.

    Thanks.
    abri
     
  4. JhonnyB

    JhonnyB Private E-2

    I ran the online scans and they didn't detect any malware. Also I may have some symptoms, but I think they can be traced to other reasons and for the most part my laptop is working fine.
    I did some reading and found out this file is genuine and has something to do with the boot process, so that would explain why quarantining it gave me that error.
    But there are some trojans which pose as it. Still not sure why my firewall detects it as a threat, but I'm more calm now.
    Thx
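    The point JhonnyB arrived at above (winlogon.exe is a genuine boot-critical file, but malware sometimes borrows its name) is exactly what a defender should verify before quarantining anything. The following PowerShell script is an added example, not from this thread or from any of the tools it mentions, and it assumes a current Windows with PowerShell 3.0 or later (the 2008 machine in the thread would not have had it). It lists every file called winlogon.exe on the system drive with its signature status and SHA-256 hash, flags whether it sits in the one legitimate location, and checks where the running winlogon process was actually loaded from.

```powershell
# Added example (not from the thread): check whether winlogon.exe is the genuine file.
# Assumes a modern Windows with PowerShell 3.0+; run from an elevated prompt so that
# process paths of SYSTEM processes are readable.

$expected = Join-Path $env:SystemRoot 'System32\winlogon.exe'

function Get-WinlogonCopies {
    # The legitimate file lives only in System32 (plus the WinSxS/servicing stores).
    # Any other copy on the drive is worth a closer look. Searching the whole drive is slow.
    Get-ChildItem -Path $env:SystemDrive -Filter 'winlogon.exe' -Recurse -File -Force `
        -ErrorAction SilentlyContinue | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path       = $_.FullName
            InSystem32 = ($_.FullName -ieq $expected)
            SigStatus  = $sig.Status
            Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            SHA256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
}

function Get-WinlogonProcesses {
    # The real winlogon.exe runs from System32. A process with this name loaded from
    # anywhere else is the "trojan posing as it" case described in the thread.
    Get-Process -Name winlogon -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Id         = $_.Id
            Path       = $_.Path
            InSystem32 = ($_.Path -ieq $expected)
        }
    }
}

Get-WinlogonCopies   | Format-Table -AutoSize
Get-WinlogonProcesses | Format-Table -AutoSize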
     
  5. abri

    abri MajorGeek

    Hi jhonny,
    If you happen to have the Combofix log and the MGlogs.zip, I could check them to see if the file you're worried about is infected. If you'd like for me to do this, please attach them to your next post.
    abri
     
  6. JhonnyB

    JhonnyB Private E-2

    Hi abri, I didn't know there was another reply here, but I have attached the files in this post, so if you can check it out it would be cool.
    Btw my OS is in Czech so I dunno if that may be a problem to understand the log files.
     

    Attached Files:

  7. abri

    abri MajorGeek

    Hi JhonnyB,
    Please do the following:

    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for attaching back to the forum).
    • Attach Report.txt with your next post.
    abri
     
  8. JhonnyB

    JhonnyB Private E-2

    Done, it looks like it didn't find anything.
     

    Attached Files:

  9. abri

    abri MajorGeek

    Hi JhonnyB,
    I'm always the optimist. I had hoped SDFix would pick up that lot of tmp files you have. I think what Comodo found was a false positive.

    Please do the following:

    Delete this file: C:\WINDOWS\system32\eRLog.ini

    And this folder: C:\WINDOWS\System32\drivers\down

    Then rename the following files in the box below by putting the name .old after them:
    (example: C:\WINDOWS\system32\SET479.tmp would become SET479.tmp.old)
    Also, if you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

    And finally, please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip.

    Let me know how things are running.
    abri
     
  10. JhonnyB

    JhonnyB Private E-2

    Done, but I don't have the C:\WINDOWS\System32\drivers\down folder on my system.
     

    Attached Files:

  11. abri

    abri MajorGeek

    Hi JhonnyB,
    If your computer is running as it should and you do not see any changes in your programs after changing the names of the tmp files, I would like for you to delete them all. They'll be these renamed with .old at the end.
    Code:
    C:\WINDOWS\SET431.tmp
    C:\WINDOWS\system32\SET479.tmp
    C:\WINDOWS\system32\SET480.tmp
    C:\WINDOWS\system32\SET484.tmp
    C:\WINDOWS\system32\SET489.tmp
    C:\WINDOWS\system32\SET464.tmp
    C:\WINDOWS\system32\SET465.tmp
    C:\WINDOWS\system32\SET47A.tmp
    C:\WINDOWS\system32\SET47B.tmp
    C:\WINDOWS\system32\SET47C.tmp
    C:\WINDOWS\system32\SET481.tmp
    C:\WINDOWS\system32\SET485.tmp
    C:\WINDOWS\system32\SET486.tmp
    C:\WINDOWS\system32\SET48B.tmp
    C:\WINDOWS\system32\SET4DE.tmp
    C:\WINDOWS\system32\SET4DF.tmp
    C:\WINDOWS\system32\SET4EB.tmp
    After you've deleted them, please reboot and make sure your computer is still working as it should. If so, you can run the final cleanup instructions in the box below:
    abri
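    abri's two-stage approach (rename the leftover .tmp files to .old, reboot and confirm nothing broke, only then delete them) is the safe way to remove files you cannot positively identify. The PowerShell script below is an added example, not from this thread or from SDFix/MGtools, that carries the procedure out for the list above. It assumes a modern Windows with PowerShell 3.0+ and an elevated prompt; the file names come from abri's post, and the hash log file name is the script's own choice. It records a SHA-256 of each file before touching it, skips entries that do not exist (as happened with the drivers\down folder), and deletes only the .old copies in the second stage.

```powershell
# Added example (not from the thread): stage suspect files as .old, then delete after a clean reboot.
# Paths are those listed by abri above, written relative to the current Windows directory.
$suspects = @(
    "$env:SystemRoot\SET431.tmp",
    "$env:SystemRoot\system32\SET479.tmp",
    "$env:SystemRoot\system32\SET480.tmp",
    "$env:SystemRoot\system32\SET484.tmp",
    "$env:SystemRoot\system32\SET489.tmp",
    "$env:SystemRoot\system32\SET464.tmp",
    "$env:SystemRoot\system32\SET465.tmp",
    "$env:SystemRoot\system32\SET47A.tmp",
    "$env:SystemRoot\system32\SET47B.tmp",
    "$env:SystemRoot\system32\SET47C.tmp",
    "$env:SystemRoot\system32\SET481.tmp",
    "$env:SystemRoot\system32\SET485.tmp",
    "$env:SystemRoot\system32\SET486.tmp",
    "$env:SystemRoot\system32\SET48B.tmp",
    "$env:SystemRoot\system32\SET4DE.tmp",
    "$env:SystemRoot\system32\SET4DF.tmp",
    "$env:SystemRoot\system32\SET4EB.tmp"
)

# Hash log file name is this example's own choice (hypothetical), kept on the Desktop.
$hashLog = Join-Path ([Environment]::GetFolderPath('Desktop')) 'staged-files-sha256.txt'

function Stage-Suspects {
    # Stage 1: hash each file for the record, then rename it to <name>.old.
    param([string[]] $Paths)
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) {
            # Not every listed item exists on every machine; say so instead of failing.
            Write-Output "missing: $p"
            continue
        }
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        Add-Content -Path $hashLog -Value "$hash  $p"
        Rename-Item -LiteralPath $p -NewName ((Split-Path -Leaf $p) + '.old')
        Write-Output "renamed: $p -> $p.old"
    }
}

function Remove-Staged {
    # Stage 2 (only after a reboot with everything still working): delete the .old copies.
    param([string[]] $Paths)
    foreach ($p in $Paths) {
        $old = "$p.old"
        if (Test-Path -LiteralPath $old) {
            Remove-Item -LiteralPath $old -Force
            Write-Output "deleted: $old"
        }
    }
}

# Run now:                     Stage-Suspects -Paths $suspects
# Run after a clean reboot:    Remove-Staged  -Paths $suspects
```

    Keeping the hash log means that if one of the files later turns out to matter (for example, a leftover from a Windows update rather than malware), you still have something to look up even though the file itself is gone.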
     
  12. JhonnyB

    JhonnyB Private E-2

    So everything is working fine :d
    Thanks a lot abri, I really appreciate it.
     
  13. abri

    abri MajorGeek

    That's good to hear.
    Enjoy your computering.
     
